CVE-2021-22145

high-risk

Published 2021-07-21

A memory disclosure vulnerability was identified in Elasticsearch 7.10.0 to 7.13.3 error reporting. A user with the ability to submit arbitrary queries to Elasticsearch could submit a malformed query that would result in an error message returned containing previously used portions of a data buffer. This buffer could contain sensitive information such as Elasticsearch documents or authentication details.

Do I need to act?

67.9% chance of exploitation in next 30 days

EPSS score — higher than 32% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

1 public exploit available

50149

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.5/10 Medium

NETWORK / LOW complexity

Affected Products (2)

Elasticsearch

Communications Cloud Native Core Automated Test Suite

Affected Vendors

Oracle Elastic

References (9)

Exploit http://packetstormsecurity.com/files/163648/ElasticSearch-7.13.3-Memory-Disclosu...

Vendor Advisory https://discuss.elastic.co/t/elasticsearch-7-13-4-security-update/279177

https://gist.github.com/lucasdrufva/f9c5d7c9e26ee087b736d727953afd34

Third Party Advisory https://security.netapp.com/advisory/ntap-20210827-0006/

Patch https://www.oracle.com/security-alerts/cpuapr2022.html

Exploit http://packetstormsecurity.com/files/163648/ElasticSearch-7.13.3-Memory-Disclosu...

Vendor Advisory https://discuss.elastic.co/t/elasticsearch-7-13-4-security-update/279177

Third Party Advisory https://security.netapp.com/advisory/ntap-20210827-0006/

Patch https://www.oracle.com/security-alerts/cpuapr2022.html

/ 100

high-risk

Severity 24/34 · High

Exploitability 19/34 · Moderate

Exposure 7/34 · Low